TechSpot

Backdoor.Tidserv!Inf Virus

Solved
By hammer1
Jun 3, 2010
Topic Status:
Not open for further replies.
  1. I have an XP Pro box that is infected. I run Symantec AV and the auto protect detects this bug in the D: partition which is the recovery partition. Symantec does a partial cleanup on the bug, but cannot remove the files infected. I have run ESET and Malwarebytes. I will now run GMER and DDS and post the result logs.
     
  2. hammer1

    hammer1 TS Rookie Topic Starter

    Here are the log file results. I did both a quick scan with Malwarebytes and also a full scan on the D: drive which is where Symantec is saying the infection lies.
     
  3. Broni

    Broni Malware Annihilator Posts: 46,860   +254

    It may be false positive.
    Can you post more details about a file name and its location?
     
  4. hammer1

    hammer1 TS Rookie Topic Starter

    Symantec reports four infections in the A0058759.sys file inside the recovery D: partition. I will see if I can get any more information for you from the Symantec logs. Thank you.
     
  5. hammer1

    hammer1 TS Rookie Topic Starter

    Should I try to clean the restore points and see if this clears up the Symantec hits?
     
  6. Broni

    Broni Malware Annihilator Posts: 46,860   +254

  7. hammer1

    hammer1 TS Rookie Topic Starter

    This is a protected partition with PC Angel... something that the original Gateway did to their recovery partitions to "protect" them. I guess it protects against the owner, not viral attacks! How would I get to this file to check it?
     
  8. Broni

    Broni Malware Annihilator Posts: 46,860   +254

    Since this is a locked recovery partition, there is really not much of a chance for any malicious program to write into it.
    The recovery partition contains everything that came preinstalled on your computer.
    It may be some game which contains some adware (pretty common), so I really wouldn't worry much about it.

    Let's run one extra scan...

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  9. hammer1

    hammer1 TS Rookie Topic Starter

    Broni

    I ran the Kaspersky scan and it did not find anything. Every single scan that I have run does not hit on this! I went forward and cleaned out the restore points other than the current... I did the restore point clean on both the C: and D: drives.

    Fingers crossed, but I believe this has removed it. I have not had another Symantec hit since I did the restore point cleanup on Friday. I am still not fully understanding this PC Angel. Even though it is "locked", it still places restore info into that partition?

    Thanks again Broni for your assistance. This was a bizarre one!
     
  10. Broni

    Broni Malware Annihilator Posts: 46,860   +254

    First of all, as the instructions say, you shouldn't be doing anything on your own.
    For instance, we reset restore points at the very end, when we're 100% sure the computer is clean.
    In your case, the computer seems to be clean, so no harm done, though :)
    Good luck and stay safe :)
     